Legal

Trust center

‍

Browse the certifications, policies, reports, and legal documentation that make CybSafe designed for the enterprise from the inside out.

‍

Last updated: 11 June 2026

‍

Security compliance

‍

ISO 27001

Cyber Essentials Plus

Infrastructure

Environment

AWS public cloud
All infrastructure defined in code
- All changes require reviews before deployed into non production environment then prompted into production
Separate AWS accounts for production infrastructure
- Dedicated accounts for all production infrastructure and data
- Production infrastructure is only deployed within production accounts
- Production data is only stored within production accounts
- No network connectivity between production accounts and networks and non-production accounts and networks

Access

Central identity provider for SSO
- Enforced strong MFA
- Enforces strong passphrase
- Conditional access requirements
SSO used for all services where possible
- Services without support for SSO and are limited and require MFA
Logging
- Retained for 12 months within a SIEM
- Includes:
  - Failed and successful authentication requests
  - Authentication configuration changes

Network security

Firewalls and security groups

All firewall and security group configuration is deny by default
Each service has a unique security group (virtual firewall) attached only permitting required traffic
All services are deployed into private subnets with no direct internet access
Outbound internet connections are via a NAT gateway with logging enabled

IDS/IPS

Real time monitoring with AWS Guard Duty
Real time monitoring of network traffic (VPC Flow Logs) and load balancer request
Alerts are raised to the DevOps team via Slack and Ops Genie

Logging

All defined networks (VPC - Virtual Private Clouds) have flow logs enabled
Load balancers have request logging enabled

Data security

Data sovereignty

Production data is stored within the London AWS region (eu-west-2)
Separate AWS accounts and networks for:
- production data, and
- non-production data

Encryption

At rest: AES-256 bit
In transit: a minimum of TLS 1.2
Encryption keys are stored within the AWS Key Management Service (KMS)
Keys rotated annually
Policies enforced to prevent deletion and limit change requests

Backups

31 day retention
Realtime backups within per minute granularity
AES-256 bit encryption
Transferred using TLS 1.2
Limited access to backup data for named privileged individuals with auditing in place

Retention

90 days from contract termination

Endpoint security

Workstations

Centrally managed via mobile device management
Enforced disk encryption
Centrally managed anti-malware software
Use of USB devices are restricted and monitored
Limited access via conditional access policies

Server infrastructure

Centrally managed via Infrastructure as Code projects
Centrally managed anti-malware deployed onto all instances - including production and non production infrastructure
Service specific roles deployed to all instances with minimal requirements

Logging

All defined networks (VPC - Virtual Private Clouds) have flow logs enabled
Load balancers have request logging enabled

Logging

Network

Network flow logs are enabled on all accounts and networks
Guard Duty is enabled for all services for all accounts

Audit trails

CloudTrail logs are enforced for all accounts and managed via AWS Organisations

Application

Network logs are enabled on all accounts and networks
Load balancer request logs are enabled on all accounts and services
Application logs:
- Request logs
- Trace logging for error handling
- Metrics

Storage and retention

All logs a centrally stored:
- Within a dedicated AWS account
- Within S3 buckets specific to services and regions
- Also sent to a SIEM for central monitoring and analysis
Logs stored for 12 months

Security and vulnerability management

Malware

Centralised anti-malware solution on all workstations and servers
Alerts feed into a SIEM and tickets managed by the DevOps Team

Vulnerability detection and management

Centrally managed vulnerability solution
Reports on all workstations, servers and containers
Alerts raised and managed with the DevOps team

Real time monitoring

Real time monitoring of cloud logs with both AWS Guard Duty and an external security solution
Behaviour based monitoring for anomaly detection
Real time alerting for configuration miss management and configuration changes

Access control

Role based access

Least privilege principles are followed
Role specific access
Access reviews

Audit trails

CloudTrail logs are enforced for all accounts and managed via AWS Organisations

MFA

Strong MFA enforced for all employees via a centralised IdP

Audit

Centralised audit logs for all user and service account activity

Encryption

At rest

All data is stored with AES-256 bit encryption
Backup data is also stored AES-256 bit encryption
Keys are rotated annually
Control policies for key deletion

In transit

Internal and external (public internet) enforces the use of SSL/TLS using a minimum of TLS 1.2
cybsafe.com is included in the HSTS preload database to prevent browsers from attempting to serve content from non-HTTPS endpoints
HTTP is enabled only for the purpose of providing a forceful HTTP to HTTPS redirect
- This happened at the edge of our network with no connection to any backend infrastructure to ensure sufficient segmentation

External platform integrations

A complete list of external platform integrations can be found here:
‍CybSafe platform external integrations

Reports

Network infrastructure diagram

High level solution diagram here

Penetration testing

Conducted annually by an external 3rd party
Report available on request

Contact information

For further information please contact trust@cybsafe.com